Best practices for proactive security testing

Feb 17, 2022

Page 1: Best practices for proactive security testing
Page 2: Best practices for proactive security testing

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Best practices for proactive security testing

SEC215-R

Kevin Higgins

Senior Cloud Infrastructure Architect

Amazon Web Services

Page 3: Best practices for proactive security testing

Agenda

Introduction to threat modeling

Exercise—threat modeling AWS architectures

Demo

Page 4: Best practices for proactive security testing

Page 5: Best practices for proactive security testing

Threat modeling

What is threat modeling?

Process and methodologies

Components of a threat model

Assets and information flows (Amazon EC2, Amazon S3, Amazon RDS, data)

System edges and entry points

External dependencies and assumptions

Classes of actors and action/trust (app users, admin, services)

Threat model output

Risks and mitigations

Page 6: Best practices for proactive security testing

Simple 3-tier application

AWS account

VPC

Amazon EC2

Elastic Load Balancing

Amazon RDS

Bucket with objects

Amazon CloudFront

Amazon Route 53

Actors: application users; cloud architects; developers, DBAs, testers

Objectives:

1. Security group not open to 0.0.0.0/0

2. S3 bucket not publicly readable/writable

3. Amazon EBS and Amazon RDS are encrypted

4. All admins access AWS account via SAML-based federation

Page 7: Best practices for proactive security testing

Page 8: Best practices for proactive security testing

AWS components

Amazon EC2 and Amazon S3

Let’s enumerate threats to these components in isolation

List out AWS constructs that represent trust boundaries

For each threat, let us enumerate directive (policy), preventive, detective, and responsive countermeasures to reduce the risk

Let us develop test cases/acceptance criteria for each countermeasure along the lines of BDD (behavior-driven development)
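The four objectives from the 3-tier application slide can be turned into the acceptance checks this slide calls for. The Python below is an added example, not code from the deck or from AWS: it assumes input dicts shaped like the describe_security_groups, get_bucket_acl, describe_volumes and describe_db_instances API responses, runs against a constructed sample rather than a live account, and covers objectives 1 to 3 (objective 4, SAML federation for admins, is an IAM configuration check not shown here).

```python
# Added acceptance checks for objectives 1-3 of the 3-tier example; input dicts mirror the
# describe_security_groups / get_bucket_acl / describe_volumes / describe_db_instances shapes.
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
               "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def open_ingress_rules(sg):
    """Objective 1: ingress rules of one security group that admit the whole internet."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if WORLD & set(cidrs):
            hits.append((perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")))
    return hits

def bucket_is_public(acl):
    """Objective 2: any ACL grant to AllUsers or AuthenticatedUsers makes the bucket public."""
    return any(g["Grantee"].get("URI") in PUBLIC_URIS for g in acl.get("Grants", []))

def unencrypted_storage(volumes, db_instances):
    """Objective 3: ids of EBS volumes and RDS instances whose encryption flag is off."""
    bad = [v["VolumeId"] for v in volumes if not v.get("Encrypted")]
    return bad + [d["DBInstanceIdentifier"] for d in db_instances if not d.get("StorageEncrypted")]

def evaluate(snapshot):
    """Run every check; an empty finding list means that objective passes."""
    return {
        "sg_not_open_to_world": [(sg["GroupId"], r) for sg in snapshot["security_groups"]
                                 for r in open_ingress_rules(sg)],
        "bucket_not_public": [b["name"] for b in snapshot["buckets"] if bucket_is_public(b["acl"])],
        "storage_encrypted": unencrypted_storage(snapshot["volumes"], snapshot["db_instances"]),
    }

# Constructed snapshot (not real account data): SSH open to the world, a world-readable bucket, one unencrypted volume.
SAMPLE = {
    "security_groups": [{"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}],
    "buckets": [{"name": "assets", "acl": {"Grants": [{"Permission": "READ",
        "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}}],
    "volumes": [{"VolumeId": "vol-a", "Encrypted": True}, {"VolumeId": "vol-b", "Encrypted": False}],
    "db_instances": [{"DBInstanceIdentifier": "appdb", "StorageEncrypted": True}],
}

if __name__ == "__main__":
    for objective, findings in evaluate(SAMPLE).items():
        print(objective, "PASS" if not findings else f"FAIL {findings}")
```

Feeding real API output into `evaluate` in a CI job turns each objective into a gating test that fails the pipeline when a finding list is non-empty.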

Page 9: Best practices for proactive security testing

Page 10: Best practices for proactive security testing

Learn security with AWS Training and Certification

Resources created by the experts at AWS to help you build and validate cloud security skills

30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security

Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities

Validate expertise with the AWS Certified Security - Specialty exam

Visit aws.amazon.com/training/paths-specialty/

Page 11: Best practices for proactive security testing

Thank you!

Kevin Higgins

[email protected]

Page 12: Best practices for proactive security testing
